
Werise @We_Have_Risen

7 Nov 15 tweets We Have Risen/status/1325129915709104129 


Good morning Dominion... 


You ready to get your ass handed to you? 


Werise

@We_Have_Risen 

Thank you 15... 



In light of this video, which mirrors what happened in VA,
let's look at a few things shall we...



[Image: TV news screenshot, WJBK, 12:31 PM ET, Bloomfield Hills, MI. Chyron: "MI GOP CHAIR GIVES UPDATE ON ELECTION". Panel "KEY STATES, VOTE DIFFERENCE": Arizona +43,779; Georgia +1,584; Nevada +20,542; N. Carolina +76,701; Pennsylvania +9,854.]


OnBreak @15poundstogo

I would strongly suggest following .@We_Have_Risen

If we're gonna see any serious evidence of large-scale ghost voting, or not, that's where to look. twitter.com/We_Have_Risen/...

11:42 PM - Nov 6, 2020

2.8K · 1.9K people are Tweeting about this

[Image: graph legend of data element types, including Social Media Presence, Blacklisted IP on Same Subnet, Malicious IP on Same Subnet, Affiliate - Email Address, Physical Address, Netblock Membership, Human Name, Similar Domain, Phone Number, Company Name, Country, Physical Location, Darknet Mention URL, Web Content Language, Internet Name, IP Address, SSL Certificate - Issued to.]


We have quite a bit to work with overnight 

































No honor amongst thieves 


You have something to say I suggest you say it now. You will be exposed and we will 
hunt every last one... 


[Image: scan summary dashboard. Total Data Elements: 16,724; Unique Data Elements: 6,675; Errors: 479. Panels: Correlations, Top 5 Data Families, Top 5 Data Sources. Status: "Running correlation rules...". Chart: "Data Elements: Unique vs. Non-unique".]




Care to explain why you are blacklisted and show up on the Threat Intel sites 75+
times


[Image: passive DNS replication record (date resolved, IP), list of sibling subdomains of dominionvoting.com with their resolved IP addresses, historical Whois lookups (last updated 2020-04-02, registrar GoDaddy.com, LLC), and graph summary.]


Ahhhhh, that explains it... 


Makes me feel so much better you are all over the Dark Web... 


[Image: scan results table with columns Data Element and Source Data Element; rows of type Darknet Mention URL (source: Ahmia) and Email Address (source: Skymem).]


That’s cool can you make sure that Cloudflare only blocks the transmission of
@realDonaldTrump votes? K thanks










[Image: scan results table with columns Data Element and Source Data Element. Two rows of type Malicious Internet Name (source: CloudFlare Malware DNS), "Blocked by CloudFlare DNS", for selector2._domainkey.dominionvoting.com and selector1._domainkey.dominionvoting.com; source data elements of type Internet Name (source: RiskIQ).]


Making more and more sense... 
Honeypot for who though? 


[Image: data element detail view. honeypot_tracker (risk level: 5) [23.236.62.147]. Data Type: Malicious IP Address; Starred: No; Risky Data Type: Yes; Source Module(s): Fraudguard; Data Source(s): Fraudguard.]



[Image: Summary > Module: Leak-Lookup > Risky: Yes (9 results); rows of type Hacked Email Address (source: Leak-Lookup).]


That’s cool because those httpd’s are secure right? 




[Image: Summary > Module: SHODAN > Risky: Yes (40 results); rows of type Software Used (source: SHODAN): Microsoft Exchange smtpd, Rhinosoft Serv-U httpd, Microsoft IIS httpd (four rows).]


I have captured quite a bit the last couple of days. Shoot me what you got and I will 
do the same 

John @Johnheretohelp

Replying to @Johnheretohelp

And porn sites. There was access through the LISPS.

One odd thing.

Dominion WAS NOT HACKED as far as I can tell now. They
had access to it already, they just approached it from
multiple directions to hide their activity.

These weren't "glitches"

4:12 PM · Nov 7, 2020

2.8K · 1.6K people are Tweeting about this


Porn sites like this one 




[Image: TV election coverage screenshot. Chyron: "NEW VOTES COMING IN FROM PENNSYLVANIA"; candidates shown: TRUMP, BIDEN.]


Wow these people are comp’d af... 


I haven’t really even dug in yet but it is a joke how bad it is... 













[Image: table with columns Module Category, Risky, Unique. Unique counts by module category: Content Analysis 1841; Crawling and Scanning 845; DNS 277; Internal 3; Leaks, Dumps and Breaches 39; Passive DNS 884; Public Registries 47; Real World 102; Reputation Systems 1159; Search Engines 1130; Secondary Networks 577; Social Media 48.]



[Image: Summary > Module Category: Leaks, Dumps and Breaches (1-100 out of 1237 results); columns Data Element and Source Data Element; rows of type Compromised Password (source: Scylla), each with source data element Domain Name dominionvoting.com (SpiderFoot UI).]


Occasional travel “both” domestic... 





[Image: graph of email address nodes at dominionvoting.com connected to the text "Occasional travel both domestic...".]


What a tangled web we weave 




Everyone... 


Let’s look at the election security laws/guidance by state... 


GA blaming the “glitch” on a software update is their biggest mistake as the machines 
are not supposed to be connected... 


We know they are and they admitted it... 